Netherlands DPA (AP) clarifies legal questions regarding the use of Facial Recognition Technology under the GDPR.

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (AP) has published a new guide that addresses and clarifies frequently asked legal questions about the use of facial recognition technology. The document is primarily designed for privacy professionals and organisations that plan to use facial recognition. However, AP has gone further and featured a document which includes guidance for consumers, aiding them in understanding how to protect their own privacy with regard to the use of facial recognition technology. AP’s legal framework provides guidance on various aspects of facial recognition, including data collection, storage, processing, and usage. The guidance published by the DPA emphasises the need for transparency and accountability when using facial recognition technology. It also highlights the importance of obtaining informed consent from individuals before collecting and processing their facial recognition data. The new legal framework is a significant development in the regulation of facial recognition technology in the Netherlands. It provides much-needed clarity on the legal requirements surrounding the use of this technology. Organisations that use or plan to use facial recognition technology should familiarise themselves with the new legal framework to ensure compliance.

The use of facial recognition is generally restricted by the GDPR due to its significant implications for privacy and data protection, and any exceptions or the need for carrying out a data protection impact assessment under certain circumstances should be observed.

Facial recognition technology poses various ethical concerns and privacy implications due to the fact that it involves the processing of biometric data, which is classified as a special category of personal data. According to the Dutch Implementation Act of the General Data Protection Regulation (GDPR), facial recognition is generally prohibited. However, there are some exceptions to this rule. One main exception of this is when facial recognition is essential for authentication or security purposes. An example of this is the protection of a nuclear power plant. The legal framework for facial recognition recently expanded to include the security of hazardous substances, such as those potentially used in bomb production. In 2023, the AP adopted a code of conduct for port companies involved in international shipping traffic. This code permits the use of facial recognition for protecting these dangerous substances under specific conditions. However, such usage is only allowed after a thorough data protection impact assessment (DPIA) has been conducted, demonstrating both necessity and compelling public interest in its application for this specific usage.

AP provided guidance on the personal use of Facial Recognition Technology to aid consumers in making informed decisions and protecting their privacy. 

According to Article 9 of the GDPR, the processing of special categories of data is strictly prohibited, except, among other cases, where a data subject has given explicit consent to the processing for one or more specific purposes. In this recently published guidance, AP clarifies that the processing ban on special categories of personal data definitely applies to facial recognition used for identity verification, resolving any ambiguity. Any personal or household use of facial recognition would be exempt under the GDPR, and therefore from any bans in this context. An example given is unlocking a phone using facial recognition, which is allowed as long as the biometric data is stored solely on the phone and the user maintains control over its usage. Furthermore, users must be given the option to choose between facial recognition and alternative methods like a PIN code for unlocking their device. As consumers increasingly encounter facial recognition technologies, the AP has also published specific guidance to help them navigate the legal landscape. By understanding how facial recognition operates and the circumstances under which its use is or is not allowed, consumers can make informed decisions and assert their privacy rights effectively.

At Aphaia, we commit to being the partner guiding you through a comprehensive journey of strengthening your data defences, ensuring compliance, and providing peace of mind in an ever-evolving digital landscape. Take that first step today, and let’s improve your practices and achieve trustworthy AI. Contact Aphaia today to find out more.